Chapter 8. SNMP Security

The Simple Network Management Protocol (SNMP) is an extremely useful protocol for monitoring and managing TCP/IP networks. Most networked systems come with at least a basic SNMP service enabled by default, allowing you to collect information about your network remotely. If write access is enabled, SNMP can also be used to configure devices on your network remotely.

Since read-only SNMP is enabled by default on many systems, it is an attacker’s dream. An attacker can use SNMP to map out your entire network, find out MAC and IP address binding, and even find out exactly what hardware you are using and what software versions you are running. At attacker can then use that information to search vulnerability databases and analyze your network for vulnerable trust relationships.

The following example shows just how much information an attacker can gain about your router and network through unsecured SNMP. Using the Net-SNMP snmpwalk program to get the routers system information through SNMP, you see:

% snmpwalk -v1 RouterOne public system
system.sysDescr.0 = Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-DO3S-M), Version 12.0(5)T1,  RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 17-Aug-99 13:18 by cmong
system.sysContact.0 = Jane Doe <[email protected]>  - Office BB 983 - x3334
system.sysName.0 = RouterOne
system.sysLocation.0 = Building A Basement - Closet 936

You now have the exact hardware and software versions of this router, contact information, the router’s name, and its physical location.

This is only the tip of the iceberg; from a full snmpwalk you get a list of each interface on this router, what types of interfaces they are, and their physical and network addresses. Additionally, you can get a complete list of this router’s routing tables, ARP tables, and even how long the router has been up since the last boot. All of this information is a gold mine for someone trying to break into your network. With this information, an attacker often understands your network better than you do.

Tip

Net-SNMP is a suite of tools that includes an open source SNMP server and can be found at http://net-snmp.sourceforge.net. For more information on SNMP in general, see http://www.simpleweb.org.

SNMP Versions

Three main versions of SNMP are in use today. The oldest and most widely used is SNMP Version 1. The second, SNMP v2c, has a few improvements over SNMP v1, but uses the same methods for security. SNMP v3 has enhanced security measures that allow the use of SNMP in environments requiring additional security.

SNMP Version 1

SNMP v1 gained popularity in the early 1990s and quickly became the standard way to monitor network devices remotely. It was quickly discovered that SNMP v1 had some inherent security flaws, but at the time, because it was so useful and e-commerce was in its infancy, few worried about these flaws. As the Internet progressed and more servers containing sensitive information were attached, the security flaw of SNMP v1 became more problematic.

A key security flaw in SNMP v1 is that the only authentication available is through a community string. Think of a community string as a group password—anyone who knows the community string is allowed access. Adding to this problem is the fact that all SNMP v1 packets are passed unencrypted across the network. Therefore, anyone who can sniff a single SNMP packet now has the community string needed to get access.

SNMP Version 2c

SNMP v2 was the first attempt to fix these security flaws. However, the members of the Internet Engineering Task Force (IETF) subcommittee responsible for the v2 standard had trouble agreeing on the security and administrative aspects of the protocol. Therefore, SNMP v2 never really took off. The only prevalent version of SNMP v2 today is SNMP v2c, which contains SNMP v2 protocol enhancements, but leaves out the security features that no one could agree on. The c designates v2c as being “community based,” which means that it uses the same authentication mechanism as v1—community strings.

SNMP Version 3

SNMP v3 was the next attempt to fix the security vulnerabilities inherent to SNMP v1 and v2c. SNMP v3 provides many security enhancement, but is currently still a draft-standard and not yet a full standard. This has kept many vendors from implementing SNMP v3 or caused them to develop proprietary versions of SNMP v3. The key security additions to SNMP v3 are that it:

  • Can use MD5 or SHA hashes for authentication

  • Can encrypt the entire packet

  • Can guarantee message integrity

SNMP v3 allows you to choose to use no authentication and no encryption (NoAuthNoPriv), authentication but no encryption (AuthNoPriv), or authentication and encryption (AuthPriv). See Table 8-1 for a comparison of SNMP version features.

Table 8-1. Cisco router SNMP version comparison

Version

Authentication

Encryption

Function

v1

Community strings

None

Uses community string for authentication. Packet is passed in clear text.

v2

Community strings

None

Uses community string for authentication. Packet is passed in clear text.

v3 (NoAuthNoPriv)

Username

None

Uses username for authentication. Packet is passed in clear text.

v3 (AuthNoPriv)

MD5 or SHA

None

Uses HMAC-MD5 or HMAC-SHA for authentication. Remaining packet is passed in clear text.

v3 (AuthPriv)

MD5 or SHA

DES

Uses HMAC-MD5 or HMAC-SHA for authentication. Entire packet is encrypted.

If you are new to SNMP, start with SNMP v1 to learn how SNMP works. On smaller, low-risk networks, SNMP v1 or v2c can be used regularly if community strings are changed and access is restricted to specific IP addresses. On larger, more sensitive networks, however, It is recommended that you use either SNMP v3 with encryption and authentication or IPSec to encrypt the SNMP v1 traffic between your routers and management stations.

Despite the benefits of SNMP v3, you will face some significant hurdles in its implementation. First, very few vendors who sell software for SNMP management stations currently support SNMP v3. Second, SNMP v3 uses Data Encryption Standard (DES) encryption, which many security professionals consider to be too weak to be effective for high-security networks.

Securing SNMP v1 and v2c

Since SNMP v1 and v2c use the same community-based authentication methods, they are grouped together on Cisco routers. You either enable both or neither.

Enabling SNMP v1 and v2c

First, for security reasons, it is strongly recommended that you disable SNMP v1 and v2c on all your routers. SNMP v3 is much better suited for secure enterprise-wide use. However, if SNMP v1 or v2 must be used, then the following security precautions must be taken:

  • Do not enable read/write access unless absolutely necessary.

  • Choose secure (difficult to guess) community strings. Ideally, you would use different community strings on each router, but this usually isn’t practical due to the way most SNMP network management servers function.

  • Limit all SNMP access to specific IP addresses using ACLs.

  • Limit SNMP output with views.

The rest of this section discusses how to accomplish these tasks and make SNMP v1 and v2c as secure as possible.

Community strings

When enabling SNMP v1 and v2c, two levels of privilege can be configured. The first is read-only; the second, read/write. Read-only allows remote users to use SNMP to get statistics and information from the router, but allows no changes to made to the router itself. Read/write access allows remote users to read information from the router and reconfigure the router.

Community strings are the basis for SNMP v1 and v2c authentication. Unless additional IP-based restrictions are configured, anyone who knows the community string can access the router. There are two serious repercussions to this. First, most network devices ship with a default read-only community string, public. This default community string is well known and should never be used. The default community string for read/write access is private. Again, this string is well known, and if read/write access is enabled, it should be changed. The same rules for choosing a good password apply to choosing a good community string. See Section 4.5 of Chapter 4 for information on choosing strong community strings. Next, with SNMP v1 and v2c, the community string is passed in clear text across the network. This makes their secure use extremely limited since anyone with a sniffer can obtain your community strings and therefore access your routers. If you decide to use SNMP v1 or v2c, make sure your organization can live with these risks. Many organizations choose to use read-only SNMP v1 or v2c, restricted by IP address to specific internal machines, and totally block SNMP access on all external router interfaces.

Read-only access

To configure read-only SNMP v1 and v2c access, use the snmp-server community command followed by a community string and the RO keyword:

Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server community UnGuessableStringReadOnly  RO
Router(config)#^Z

Read/write access

To configure read/write SNMP v1 and v2c access, use the snmp-server command followed by a different community string and the RW keyword:

Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server community UnGuessableStringWriteable RW
Router(config)#^Z

Disabling SNMP v1 and v2c

Disabling SNMP can be done entirely with the command no snmp-server. Use the following example to specifically disable read/write or read-only access.

Warning

Using the no snmp-server command disables all SNMP versions on your router. However, until the system is rebooted, it holds the previous SNMP configuration in memory. The configuration is inactive, but if you reenable SNMP, this previous configuration information can sometimes be reloaded into the running configuration. This can be especially tricky in cases when you have SNMP v1 and v2c enabled; use the no snmp-server command to disable SNMP and then configure SNMP v3. Make sure that your previous SNMP v1 and v2c configurations have not been restored without your knowledge.

Disabling read-only access

To disable read-only SNMP v1 and v2c access, explicitly use the no snmp-server community command followed by the read-only community string and the RO keyword. If your read-only community string is UnGuessableStringReadOnly, you would input:

Router#config terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#no snmp-server community UnGuessableStringReadOnly  RO Router(config)#^Z

Disabling read/write access

To disable read/write SNMP v1 and v2c access, explicitly use the no snmp-server community command followed by the read/write community string and the RW keyword. If your read/write community string is UnGuessableStringWritable, you would type:

Router#config terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#no snmp-server community UnGuessableStringWriteable  RW
Router(config)#^Z

Limiting SNMP v1 and v2c Access by IP

You should always limit SNMP access to only a few specific IP addresses; this is especially true when using SNMP v1 and v2c. To do this:

  1. Create an appropriate ACL.

  2. Configure read-only or read/write access to use that ACL.

Read-only access

Restricting read-only access by IP address uses the same command as enabling read-only SNMP, with one addition: you append the number of ACL. To restrict read-only SNMP access to the IP addresses 130.218.10.8 and 130.218.14.7, you would type:

Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 6  permit 130.218.10.8
Router(config)#access-list 6  permit 130.218.14.7
Router(config)#access-list 6  deny any
Router(config)#snmp-server community UnGuessableStringReadOnly  RO 6
Router(config)#^Z

Read/write access

Restricting read/write access is almost the same as the previous example with the exception of the RW keyword in place or RO. Restricting read/write access to the same IPs as before—130.218.10.8 and 130.218.14.7—would require:

Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 8  permit 130.218.10.8
Router(config)#access-list 8  permit 130.218.14.7
Router(config)#access-list 8  deny any
Router(config)#snmp-server community UnGuessableStringWriteable  RW 8
Router(config)#^Z

Since the IPs in both examples are the same, you don’t have to create a separate ACL and can use the same ACL, number 6, to restrict both read-only and read/write access.

Warning

Read-only SNMP access allows an attacker to see how your router and network are configured. While this is extremely valuable information, it doesn’t come close to what an attacker can do with read/write access. Read/write access gives an attacker complete control over your router. Using SNMPset, an attacker can completely reconfigure your router, including resetting your passwords, disabling ACLs, and redirecting traffic.

SNMP Read/Write and TFTP

There is a major security risk associated with SNMP read/write access that involves TFTP. When SNMP read/write access is enabled, attackers can use SNMP to cause the router to either TFTP its configuration file to them, or even have the router load a new configuration from an arbitrary TFTP server. To avoid this problem, it is important to use the snmp-server tftp-server-list command to limit what IP addresses are allowed to use TFTP servers via SNMP.

The following example shows how to use an ACL to restrict SNMP-controlled TFTP access to the IP 130.8.4.9:

RouterOne#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterOne(config)#access-list 98  permit host 130.8.4.9
RouterOne(config)#access-list 98  deny any     
RouterOne(config)#snmp-server tftp-server-list 98
RouterOne(config)#^Z

If you don’t use TFTP, then create an empty ACL and apply it. Since ACLs are default deny, this will keep anyone from using SNMP and TFTP to manipulate your router.

Warning

Cisco routers have a command that enables them to be rebooted through SNMP remotely—snmp-server system-shutdown. This command is disabled by default and should not be turned on. The potential for abuse greatly outweighs the utility of this feature.

Limiting SNMP v1 and v2c Access with Views

Another way to help secure SNMP v1 and v2c is to limit what information remote systems can see. This is extremely useful when only specific information is needed through SNMP. To use views:

  1. Create a view specifying what information is allowed to be seen using the snmp-server view command.

  2. Create a new community string with the snmp-server community command that specifies the view we created previously.

    Tip

    The SNMP MIB defines what information you can retrieve or set through SNMP. Standard MIBs, such as MIB-II, are supported by every network device, and proprietary MIBs are only for specific products. MIBs consist of a treelike structure and are organized with Object Identifiers (OID). Knowing the OID lets you access the specific information you are looking for. For more information on MIBs and OIDs, see http://www.simpleweb.org.

The snmp-server view command takes three arguments. The first is the name you want to call the view, then the table name or MIB Object Identifier (OID), and finally the keyword include or exclude. If you know SNMP well, you can create advanced lists by using the OID numbers. If you’re not an SNMP expert, you can use table names such as IP, ICMP, TCP, SYSTEM, INTERFACES, and so on. Like access lists, the default policy of a view is to deny access and not return any data. The following example creates a view called tcp-only that allows access to the MIB objects only under the TCP table:

Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view tcp-only  tcp include
Router(config)#snmp-server community TcpOnlyCommunityString  view tcp-only
Router(config)#^Z

Now, when you attempt to get SNMP information from the router using the TcpOnlyCommunityString command, you see only the information in the TCP table:

% snmpwalk -v1 RouterOne TcpOnlyCommunityString
tcp.tcpRtoAlgorithm.0 = vanj(4)
tcp.tcpRtoMin.0 = 300 milliseconds
tcp.tcpRtoMax.0 = 60000 milliseconds
tcp.tcpMaxConn.0 = -1
tcp.tcpActiveOpens.0 = 0
tcp.tcpPassiveOpens.0 = 2
tcp.tcpAttemptFails.0 = 0
tcp.tcpEstabResets.0 = 0
tcp.tcpCurrEstab.0 = Gauge: 1
tcp.tcpInSegs.0 = 3698
tcp.tcpOutSegs.0 = 2549
tcp.tcpRetransSegs.0 = 1
tcp.tcpConnTable.tcpConnEntry.tcpConnState.130.218.9.50.23.130.218.59.1.64880 
= established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.130.218.9.50.23.130.218.9.41.64880 
= IpAddress: 130.218.59.250
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.130.218.9.50.23.130.218.9.41.64880 
= 23
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.130.218.9.50.23.130.218.9.41.64880 
= IpAddress: 130.218.59.41
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.130.218.9.50.23.130.218.9.41.64880 
= 64880
tcp.tcpInErrs.0 = 0
tcp.tcpOutRsts.0 = 0
End of MIB

Table 8-2 contains some useful keywords for creating views.

Table 8-2. SNMP keywords

SNMP MIB keyword

Reported information

System

Information about the system, including hardware, software, contact, and location

Interfaces

Information about every interface on the system, including packets in, packets out, errors, etc.

at

The ARP table mappings

Ip

IP statistics and tables including the routing tables

Icmp

ICMP statistics

tcp

TCP statistics, including the connection tables with port numbers

udp

UDP statistics, including the connection tables with port numbers

snmp

SNMP statistics

Finally, one of the most useful features of SNMP views is its ability to limit SNMP write access in addition to limiting read-only access.

Tip

SNMP v3 is not yet a full standard. Many vendors have not implemented it or have implemented incompatible versions of SNMP v3. One way to get the advantages of SNMP v3 authentication and encryption while still using SNMP v1 or SNMP v2 is to use IPSec between the router and the SNMP management station. See Chapter 3 for more information on configuring IPSec.

Securing SNMP v3

In relation to security, the major change in SNMP v3 is the ability to authenticate and encrypt SNMP packets. This ability allows you to use SNMP securely across untrustworthy networks. The current disadvantage of SNMP v3, however, is that it is not supported on all network devices or all network management stations. Cisco routers running IOS 12.0(3)T and above include SNMP v3 support.

The three levels of SNMP v3 security are no authentication and no encryption, authentication and no encryption, and authentication and encryption. SNMP v3 specifies these levels as NoAuthNoPriv, AuthNoPriv, and AuthPriv, respectively. Table 8-3 shows the Cisco keywords that map to these security levels.

Table 8-3. SNMP security and Cisco keywords

SNMP security keyword

Cisco keyword

NoAuthNoPriv

Noauth

AuthNoPriv

Auth

AuthPriv

Priv

Whenever you see a router command that specifies priv as the SNMP v3 security level, it really indicates both authentication and encryption.

No Authentication/No Encryption

The least-secure method of SNMP v3 uses no authentication and no encryption. This is referred to as NoAuthNoPriv. With this type of SNMP v3 packet, the only type of access control is through a username. To configure SNMP v3 NoAuthNoPriv access on a router, you must:

  1. Configure an SNMP v3 group that specifies no authentication with the snmp-server group command and the noauth keyword.

  2. Create an SNMP v3 user in that group with the snmp-server user command.

The snmp-server group command can take many different arguments, depending on how you want the group set up. The first two arguments indicate the name of the group and the SNMP version of the group. Additional arguments can specify access lists, restricted views, or authentication and encryption methods. In the following example, the v3 indicates SNMP v3 and noauth indicates that no authentication or encryption is to be used.

The snmp-server user command also takes various arguments. The first three are the name of the user, the name of the group that user belongs to, and the SNMP version that user runs. Additional arguments specify authentication and encryption information:

Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server group NoAuthGroup  v3 noauth                    
Router(config)#snmp-server user MyUser1 NoAuthGroup  v3 
Router(config)#^Z

Now you can use unauthenticated and unencrypted SNMP to access information about the router by specifying user MyUser1:

% snmpwalk -v 3 -l NoAuthNoPriv -u MyUser1 RouterOne
system.sysDescr.0 = Cisco Internetwork Operating System Software 
IOS (tm) C2600 Software (C2600-IS56I-M), Version 12.1(1), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Wed 15-Mar-00 03:45 by cmong
system.sysObjectID.0 = OID: enterprises.9.1.208
system.sysUpTime.0 = Timeticks: (888383) 2:28:03.83
system.sysContact.0 = 
system.sysName.0 = RouterOne.kennesaw.edu
[ cut ]

Using no authentication and no encryption (NoAuthNoPriv) means that you are still vulnerable to someone sniffing your username and gaining SNMP access. If you are going to use SNMP v3, it is recommended that you use both authentication and encryption (AuthPriv).

Authentication/No Encryption

The level of protection above a simple username is authentication. This is the AuthNoPriv level in which users are securely authenticated, but packets are still passed unencrypted. This level allows you to specify a different username and password for every user who requires SNMP access, giving you the accountability that you lack when using just a community string.

To configure SNMP v3 authentication, you must:

  1. Create an SNMP v3 group that is configured to use authentication with the snmp-server group command and the auth keyword.

  2. Create an SNMP v3 user in that group and give that user an authentication method and password. The auth keyword, followed by an authentication method, here md5, is followed by the SNMP v3 user password:

    Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server group AuthGroup  v3 auth
Router(config)#snmp-server user MyUser2 AuthGroup  v3 auth md5 MyAuthPassword
Router(config)#^Z

Now you can access the SNMP v3 information only by successfully authenticating yourself with the username MyUser2 and the password MyAuthPassword. Even though you are authenticating, you are still not using encryption and are at the AuthNoPriv level:

% snmpwalk -v 3 -u MyUser2
 -l AuthNoPriv -A MyAuthPassword RouterOne
system.sysDescr.0 = Cisco Internetwork Operating System Software 
IOS (tm) C2600 Software (C2600-IS56I-M), Version 12.1(1), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Wed 15-Mar-00 03:45 by cmong
system.sysObjectID.0 = OID: enterprises.9.1.208
system.sysUpTime.0 = Timeticks: (1008588) 2:48:05.88
system.sysContact.0 = 
system.sysName.0 = RouterOne.kennesaw.edu
[ cut ]

Authentication/Encryption

Finally, there is the AuthPriv level, which uses both strong authentication and encryption. This level is the most appropriate level to use on secure networks. SNMP v3 requires separate passwords for authentication and encryption for each username. To configure a user to use authentication and encryption:

  1. Create a group that is configured to use both authentication and encryption using the snmp-server group command and the priv keyword.

  2. Create a user in that group to whom you assign separate authentication and encryption passwords using the snmp-server user command and the priv keyword. The auth keyword is followed by the authentication method, md5, and the priv keyword is followed by the encryption type, des56:

    Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server group AuthPrivGroup  v3 priv
Router(config)#snmp-server user MyUser3  AuthPrivGroup
 v3 auth md5 AuthPass  
priv des56 PrivPass
Router(config)#^Z

When you request SNMP v3 information from the router, you must use the correct username, authentication password, and encryption password. When you do, all communication is encrypted:

% snmpwalk -v 3 -u MyUser3 -l authpriv -A AuthPass -X PrivPass RouterOne
system.sysDescr.0 = Cisco Internetwork Operating System Software 
IOS (tm) C2600 Software (C2600-IS56I-M), Version 12.1(1), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Wed 15-Mar-00 03:45 by cmong
system.sysObjectID.0 = OID: enterprises.9.1.208
system.sysUpTime.0 = Timeticks: (1008588) 2:48:05.88
system.sysContact.0 = 
system.sysName.0 = RouterOne.kennesaw.edu
[ cut ]

Warning

SNMP v3 uses an identification number called the engineID. This number is set on your router automatically. Both authentication and encryption functions rely on this number not changing. If you purposefully or accidentally change your engineID number, you will disable your current users and groups and will need to delete and re-create them.

Limiting SNMP v3 Access by IP

You can also use ACLs with SNMP v3 to further enhance your security. You can specify an access list at the group or user level. In either case, add the keyword access followed by the restricting ACL to any of the preceding snmp-server group or user commands.

The following example:

  • Creates an ACL that restricts access to the systems 130.218.9.12 and 130.218.9.14 with the access-list command

  • Creates an SNMP v3 group called Trusted that uses the ACL to restrict access for all members of that group with the snmp-server group command and the access keyword

  • Creates the users Jeff and Sara inside the Trusted group with the snmp-server user command

    Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 5  permit 130.218.9.12
Router(config)#access-list 5  permit 130.218.9.14
Router(config)#access-list 5  deny any
Router(config)#snmp-server groupTrusted  v3 auth access 5
Router(config)#snmp-server user jeff  Trusted  v3 auth md5 JeffsPass
Router(config)#snmp-server user sara  Trusted  v3 auth md5 SarasPass
Router(config)#^Z

Limiting IP addresses on a per-user basis is similar:

  1. Create an ACL that limits access based on IP with the access-list command. This example uses 130.218.12.5 and 130.218.6.3.

  2. Create a group that specifies authentication and encryption information with the snmp-server group command.

  3. Create users in this group and specify the ACL for each user with the snmp-server user command and the access keyword. The following example restricts Thomas to the IP 130.218.12.5 and Abigail to the IP 130.218.6.3:

    Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 6  permit 130.218.12.5
Router(config)#access-list 6  deny any
Router(config)#access-list 7  permit 130.218.6.3
Router(config)#access-list 7  deny any
Router(config)#snmp-server group AdminGroup  v3 auth
Router(config)#snmp-server user thomas AdminGroup  v3 auth md5 TsPass  access 6
Router(config)#snmp-server userabigail AdminGroup  v3 auth md5 AsPass  access 7
Router(config)#^Z

Limiting SNMP v3 Output with Views

Views can be applied to SNMP v3 groups, but not directly to users. The process is similar to creating views for SNMP v1 and v2c. When creating a group that restricts information with views, use the read or write keywords to indicate whether the view applies to read-only access or read/write access.

  1. Create a view restricting access to SNMP information with the snmp-server view command.

  2. Create a group to which you apply that view with the snmp-server group command. You can apply the view to read or write access. This example uses the read keyword so the view is applied to read-only access for this group.

  3. Create users inside the group with the snmp-server user command and they will be restricted by that group’s view.

The following example restricts all the members of group IpOnly to viewing the IP information (but nothing else):

Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view IpOnlyView ip  include
Router(config)#snmp-server group IpOnly  v3 noauth read IpOnlyView
Router(config)#snmp-server user heather IpOnly  v3 
Router(config)#^Z

Now when Heather uses SNMP v3 to access the router, she will only get information about the IP protocol.

Finally, you can combine views and access lists. This example creates a group that restricts access to the single IP 130.218.250.5 and allows read-only access to the interface information and nothing more:

Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 10  permit 130.218.250.5
Router(config)#access-list 10  deny any
Router(config)#snmp-server view IntView interface  include
Router(config)#snmp-server group IntGroup  v3 auth read IntView  access 10
Router(config)#snmp-server user bob IntGroup  v3 auth md5 BobsPass
Router(config)#^Z

SNMP Management Servers

Finally, with all this effort to secure the SNMP access on the routers, you can’t forget the SNMP management station. Just as storing your router configurations on an insecure box can lead to a compromise, leaving your SNMP management server unsecured is an invitation for attack.

By its very nature, the SNMP management server must have the SNMP information for every system that it monitors. This information includes IP addresses, SNMP community strings, SNMP v3 usernames, and authentication and encryption passwords. Additionally, SNMP management servers must also have access to query each system, meaning that you must allow the server through your ACLs. Therefore, if an SNMP management server is compromised, an attacker has just gained access information for every system monitored on your network and also a platform from which to perform additional monitoring and attacks (since the SNMP management server will necessarily have SNMP access to the routers).

Therefore, in addition to hardening your routers, you must make sure that the SNMP management station is also secured.

SNMP Security Checklist

This checklist summarizes the important security information presented in this chapter. A complete security checklist is provided in Appendix A.

  • Disable SNMP, if it is not needed.

  • Use different community or authentication strings for each router, if possible. (This often become unmanageable.)

  • Make sure community strings and passwords are well chosen and not easily guessed.

  • Restrict all SNMP access to specific hosts through ACLs.

  • Restrict all SNMP output through the use of views.

  • Disable read/write SNMP access unless absolutely necessary.

  • If SNMP read/write access is configured, use the snmp-server tftp-server-list command to restrict SNMP-controlled TFTP transfers.

  • Disable SNMP v1 and v2c in favor of SNMP v3.

  • Under SNMP v3:

    • Make sure that SNMP v1 and v2c are disabled.

    • Use both authentication and encryption (AuthPriv) on your routers.

    • Use views to limit SNMP access to information.

  • Secure all SNMP Management Servers.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.138.137.127